1. Field of Invention
The present invention relates to an apparatus and associated methods for strengthening a user-entered password after the password has been entered through a keyboard, but before the password is committed to the host system for authentication.
2. Prior Art
Securing access to precious resources through the use of secret passwords has been a common practice throughout history. In the book “Arabian Nights”, Ali Baba uses a magical password to gain access to a great treasure. Modern computer systems continue to rely on the concept of secret passwords to protect sensitive computer and network resources. Newer authentication mechanisms, such as smartcards and biometric identification devices, are becoming more commonplace, but password authentication remains the most common mechanism for protecting sensitive computer resources. However, the prevalence of password authentication has become a dilemma for computer users desiring to access computer resources, and for computer administrators needing to protect those resources.
A few of the challenges facing users are:
Remembering multiple passwords used across multiple systems.
Recalling the new password after a password change has been made.
Remembering the current password after a long period of time has passed since the password was last used.
Inventing new passwords that can be easily remembered but cannot be easily guessed.
Collateral damage when a single password is used across multiple systems and that password is discovered—all of the accounts using that common password are now at risk.
Challenges facing system administrators are:
Users creating weak passwords that can be easily remembered but easily broken.
Users writing down strong passwords because such strong passwords cannot be easily remembered.
Users reusing passwords across various systems—for example using a corporate password on a questionable Internet site.
These difficulties with passwords are overcome by smartcard and biometric authentication devices. However, these new technologies have their own inherent problems:
Smartcards without passwords can be lost or stolen, and then used by unauthorized users.
Biometric devices can wrongly authenticate unauthorized users (false positive), and fail to authenticate authorized users (false negative).
Simple biometric devices such as fingerprint scanners can be easily fooled by clever tactics.
Smartcard and biometric readers must be purchased for each point of access, increasing the cost of ownership.
Additional personnel, software and infrastructure beyond the existing system may be needed to support these devices.
Biometric devices will continue to coexist with password based authentication mechanisms, resulting in two methods of authentication, and making the overall system more complicated for users.
Several approaches in the prior art have attempted to mitigate the known problems inherent with using user passwords for authentication.
U.S. Pat. No. 6,079,021 by Abadi et al is a method of authentication. Initially, an original access code is created by combining the user password with a supplement value of random bits. In operation, the Abadi technique then iterates through all possible supplement values in combination with the user password until the computed trial access code matches the original access code. If a match is found then access is granted, otherwise access is denied. As can be seen, this invention is an authentication method. This method may be incorporated into an operating system kernel for the purposes of authentication, but is not applicable to the problems associated with existing computer systems.
U.S. Pat. No. 6,134,661 by Topp is a method of encrypting a password on a computer. A user activates the invention and then enters a password. The Topp invention is placed between the keyboard and the computer, and encrypts the password characters as they pass through the Topp invention. The Topp invention is therefore connected in series with the user keyboard and the computer system. This approach requires a special keyboard with the device embedded in the keyboard to be connected to the host computer, or for the device to be connected between a regular keyboard and the host computer. Such a device would not work in an ad hoc computing environment, such as a public library or pay-as-you-go office facility where it would be forbidden for a user to disconnect the system keyboard to insert the device.
U.S. Pat. No. 6,662,300 by Peters is a method of improving a password on a computer network by obtaining a string from a remote computer, and then combining the string with a user password using an irreversible function, producing a complete password. However, this approach only works in a network environment and cannot be used, for example, as a means to access a laptop or standalone desktop computer.
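As an added illustration, not code from either patent, the two password-derivation schemes described above can be sketched side by side: the Abadi supplement-search scheme, in which the verifier stores only an access code computed from the password plus a discarded random supplement and must search the supplement space at verification time, and the Peters scheme, in which a string obtained from a remote computer is combined with the user password through an irreversible function. Neither patent text here specifies the one-way function or the supplement width; SHA-256, a 12-bit supplement and the byte layout below are assumptions chosen for the example.

```python
import hashlib
import secrets

# Assumed stand-in for the patents' unspecified irreversible function.
def _one_way(password: bytes, supplement: int, bits: int) -> bytes:
    width = (bits + 7) // 8
    return hashlib.sha256(password + supplement.to_bytes(width, "big")).digest()

# --- Abadi-style access code ---------------------------------------------
def create_access_code(password: bytes, bits: int, rng=secrets.randbelow) -> bytes:
    """Combine the password with `bits` random supplement bits.

    Only the resulting access code is kept; the supplement itself is
    deliberately forgotten, so the stored value alone does not reveal
    which supplement was used.  `rng` is injectable for testing.
    """
    supplement = rng(1 << bits)
    return _one_way(password, supplement, bits)

def verify_access_code(password: bytes, access_code: bytes, bits: int) -> bool:
    """Re-derive trial access codes for every possible supplement.

    Access is granted only if some supplement reproduces the stored code.
    The cost of this loop (2**bits hash evaluations) is the point of the
    scheme: it is paid by the legitimate verifier once, but by an attacker
    on every guessed password.
    """
    for trial in range(1 << bits):
        if secrets.compare_digest(_one_way(password, trial, bits), access_code):
            return True
    return False

# --- Peters-style network-derived complete password ------------------------
def complete_password(password: bytes, remote_string: bytes) -> str:
    """Combine a string fetched from a remote computer with the user password
    via an irreversible function.  The separator is an assumed detail that
    keeps (string, password) pairs from colliding when concatenated.
    """
    return hashlib.sha256(remote_string + b"\x00" + password).hexdigest()

if __name__ == "__main__":
    # Constructed sample values.
    pw = b"correct horse battery staple"
    code = create_access_code(pw, bits=12)
    print("correct password accepted:", verify_access_code(pw, code, 12))
    print("wrong password accepted:  ", verify_access_code(b"hunter2", code, 12))
    print("complete password:", complete_password(pw, b"constructed-remote-string"))
```

Note that `verify_access_code` never needs the supplement, only the password and the stored code; in the Peters scheme, by contrast, the derivation is deterministic and the strengthening comes entirely from the remote string, which is why that approach is tied to a network environment.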
Patent application 2005/0177754 is a system for managing passwords. The system uses encryption on a portable access device. The disadvantage of this system is that the host computer must be modified to run specialized encryption software to act in conjunction with the portable access device. This would not be allowed in the general case where systems cannot be altered, such as public libraries and office environments.
U.S. Pat. No. 6,748,541 by Margalit is a portable device that stores information characterizing a user. The portable device provides this characterizing information to the computer system for such purposes as authentication. The invention connects to any “flexibly connectible computer system” (FCCS), which includes computers with USB support. The host computer always initiates the authentication process because no actuator, such as a button or switch, is physically located anywhere on the Margalit invention. Therefore, to accomplish authentication, software to interact with the Margalit invention must be preinstalled on each host computer protected by the invention. Under these conditions, the invention could not be used on computers that do not have the special software preinstalled, such as at public libraries.
U.S. Pat. No. 6,763,399 by Margalit is similar to '541 by Margalit. In '399 a portable device has encryption capability and stores user-specific information. Similar to the '541 invention, this invention does not have a button or switch physically located on the device to initiate authentication. This device is basically a smartcard with a USB connector. For authentication, this invention requires special software to be installed on each host computer as does the '541 invention, and therefore could not be used with locked-down host computers.